Re: W32/Sobig-F - Halflife correlation ???

2003-08-28 Thread Owen DeLong
One possibility is that half-life servers are inherently directory services. The list of connected players could be used to encode directory data for the worm to attack. Owen --On Friday, August 22, 2003 8:50 PM -0400 Matt Martini [EMAIL PROTECTED] wrote: I've scanned my Netflow logs for

Re: W32/Sobig-F - Halflife correlation ???

2003-08-28 Thread Owen DeLong
: Saturday, August 23, 2003 1:05 PM Subject: Re: W32/Sobig-F - Halflife correlation ??? On 8/23/03 7:17 AM, Darren Smith [EMAIL PROTECTED] wrote: They were trying to hit servers in multiple subnets, all on ports 270XX. I'm not sure on this. Lots of gaming servers use the 270XX UDP

Re: W32/Sobig-F - Halflife correlation ???

2003-08-26 Thread Darren Smith
Group [EMAIL PROTECTED] Sent: Saturday, August 23, 2003 1:05 PM Subject: Re: W32/Sobig-F - Halflife correlation ??? On 8/23/03 7:17 AM, Darren Smith [EMAIL PROTECTED] wrote: They were trying to hit servers in multiple subnets, all on ports 270XX. I'm not sure on this. Lots of gaming

Re: W32/Sobig-F - Halflife correlation ???

2003-08-26 Thread Adam 'Starblazer' Romberg
[EMAIL PROTECTED]; North American Network Operators Group [EMAIL PROTECTED] Sent: Saturday, August 23, 2003 1:22 PM Subject: Re: W32/Sobig-F - Halflife correlation ??? Hi Just a quick look at my syslog file, where MOO is the name of my ACL. fgrep MOO /var/log/cisco/router.log | grep

Re: W32/Sobig-F - Halflife correlation ???

2003-08-23 Thread Darren Smith
Message - From: Robert Blayzor [EMAIL PROTECTED] To: Matthew E. Martini [EMAIL PROTECTED]; North American Network Operators Group [EMAIL PROTECTED] Sent: Saturday, August 23, 2003 3:05 AM Subject: Re: W32/Sobig-F - Halflife correlation ??? On 8/22/03 8:50 PM, Matt Martini [EMAIL PROTECTED

Re: W32/Sobig-F - Halflife correlation ???

2003-08-23 Thread Robert Blayzor
On 8/23/03 7:17 AM, Darren Smith [EMAIL PROTECTED] wrote: They were trying to hit servers in multiple subnets, all on ports 270XX. I'm not sure on this. Lots of gaming servers use the 270XX UDP range. Quake3, HL, etc. It may be possible it's just probing for other HL servers running on

Re: W32/Sobig-F - Halflife correlation ???

2003-08-23 Thread Darren Smith
PM Subject: Re: W32/Sobig-F - Halflife correlation ??? On 8/23/03 7:17 AM, Darren Smith [EMAIL PROTECTED] wrote: They were trying to hit servers in multiple subnets, all on ports 270XX. I'm not sure on this. Lots of gaming servers use the 270XX UDP range. Quake3, HL, etc. It may

Re: W32/Sobig-F - Halflife correlation ???

2003-08-22 Thread Robert Blayzor
On 8/22/03 8:50 PM, Matt Martini [EMAIL PROTECTED] wrote: I've scanned my Netflow logs for activity associated with the 20 machines that SoBig was targeting and I found some very curious activity. If what you claim is correct, this could be very bad. The virus is already there on many
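The two checks people in this thread describe, Matt Martini's scan of Netflow records for activity involving the machines SoBig was targeting, and Adam Romberg's grep of Cisco ACL syslog for the "270XX" UDP game-server ports, can be done in one pass. The script below is an added example, not code posted by anyone in the thread. It assumes the Cisco IOS %SEC-6-IPACCESSLOGP log line format, uses the ACL name MOO mentioned above, and stands in a constructed, documentation-range watch list for the worm's real download-host list, which is not reproduced here. The sample syslog lines are constructed, not a real capture.

```python
import re
from collections import defaultdict

# Constructed watch list standing in for the worm's hardcoded download hosts.
# The thread says Sobig-F carried 20 such addresses; the real list is NOT
# reproduced here. These are documentation-range placeholders (assumption).
WATCHED_HOSTS = {"192.0.2.10", "192.0.2.11", "203.0.113.5"}

# The "270XX" UDP range used by Half-Life / Quake3 style game servers.
GAME_PORT_RANGE = range(27000, 27100)

# Cisco IOS access-list log line (%SEC-6-IPACCESSLOGP). Format assumed from
# IOS behaviour; "MOO" is the ACL name mentioned in the thread.
ACL_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog lines (not a real capture).
SAMPLE_LOG = """\
Aug 23 13:01:02 gw1 123: %SEC-6-IPACCESSLOGP: list MOO denied udp 192.0.2.10(1088) -> 10.1.1.20(27015), 1 packet
Aug 23 13:01:03 gw1 124: %SEC-6-IPACCESSLOGP: list MOO denied udp 192.0.2.10(1089) -> 10.1.2.33(27016), 1 packet
Aug 23 13:01:04 gw1 125: %SEC-6-IPACCESSLOGP: list MOO denied udp 192.0.2.10(1090) -> 10.1.3.9(27030), 3 packets
Aug 23 13:01:05 gw1 126: %SEC-6-IPACCESSLOGP: list MOO denied udp 203.0.113.5(2001) -> 10.1.1.20(27015), 1 packet
Aug 23 13:01:06 gw1 127: %SEC-6-IPACCESSLOGP: list MOO denied tcp 198.51.100.4(40001) -> 10.1.1.25(80), 1 packet
Aug 23 13:01:07 gw1 128: %SEC-6-IPACCESSLOGP: list MOO denied udp 192.0.2.11(1100) -> 10.1.1.30(53), 1 packet
Aug 23 13:01:08 gw1 129: %SEC-6-IPACCESSLOGP: list MOO permitted udp 10.1.1.20(27015) -> 192.0.2.10(1088), 1 packet
"""


def parse_acl_lines(text, acl=None):
    """Return one dict per IPACCESSLOGP line; restrict to one ACL name if given."""
    flows = []
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        if acl is not None and rec["acl"] != acl:
            continue
        for key in ("sport", "dport", "count"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def subnet24(ip):
    """Collapse an IPv4 address to its /24, e.g. 10.1.1.20 -> 10.1.1.0/24."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def correlate(flows, watched=WATCHED_HOSTS, ports=GAME_PORT_RANGE):
    """Summarise UDP game-port traffic sourced from each watched host:
    distinct destination /24s, per-destination-port hit counts and packet totals.
    Flows not sourced from a watched host, not UDP, or outside the port
    range are ignored."""
    report = {}
    for f in flows:
        if f["src"] not in watched or f["proto"] != "udp" or f["dport"] not in ports:
            continue
        entry = report.setdefault(
            f["src"], {"subnets": set(), "ports": defaultdict(int), "packets": 0}
        )
        entry["subnets"].add(subnet24(f["dst"]))
        entry["ports"][f["dport"]] += 1
        entry["packets"] += f["count"]
    return report


def suspicious_sources(report, min_subnets=2):
    """Watched hosts that hit game ports in at least min_subnets different /24s,
    the pattern described upthread: "servers in multiple subnets, all on ports 270XX"."""
    return sorted(src for src, e in report.items() if len(e["subnets"]) >= min_subnets)


if __name__ == "__main__":
    rep = correlate(parse_acl_lines(SAMPLE_LOG, acl="MOO"))
    for src, e in rep.items():
        print(src, sorted(e["subnets"]), dict(e["ports"]), e["packets"], "pkts")
    print("probing across subnets:", suspicious_sources(rep))
```

The same correlate() works on flow records from any source once they are reduced to src/dst/proto/dport/count, so Netflow exports can be fed through it in place of the ACL log parser; the threshold in suspicious_sources() is the knob to raise if a watched host legitimately hosts or plays on game servers.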

RE: W32/Sobig-F - Halflife correlation ???

2003-08-22 Thread Jim Popovitch
-Original Message- From: Matt Martini Sent: Friday, 22 August, 2003 20:51 To: North American Network Operators Group Subject: W32/Sobig-F - Halflife correlation ??? Are there any halflife vulnerabilities that the virus writers are using? There are many hl vulnerabilities,